Joseph has a long history in event coordination; nearly 20 years of bringing infosec and cyber security education and events to attendees. The Texas Cyber Summit was created for the future. The San Antonio cyber community is the second largest in the nation, and the Texas Cyber Summit hopes to help expand the number of cyber security professionals and those interested in pursuing a career in the field. Education, community, involvement and training are the key.

Internet
communication is cyclic; provisioning and security decisions are
not made with one-off traffic units in mind. Traditional in-path
firewalls are for this reason often stateful, but the value-add
from such state-keeping comes with a healthy downside: the
state-keeping is itself a new attack surface. Given the fate-sharing
that goes on behind a firewall, if an attack against some
internal resource is capable of bringing the firewall
down and thus affecting other internal resources, then the
firewall implicitly becomes an effective force-multiplier for the
attacker. There are other ways to do security which take better
account of an attacker's capabilities and alternatives. For
example, protocol-aware rate limiting may offer a cheaper
deployment cost with a better worst-case outcome.

Network-accessible medical devices are ubiquitous in today's
clinical environment. These devices can be of great aid to
healthcare professionals in assessing, treating and monitoring a
patient's condition. However, they can also fall victim to a
number of systemic vulnerabilities that can expose personal
health information (PHI), compromise the integrity of patient
data in transit, and affect the availability of the devices
themselves.

This talk looks at the methodology and
approach to penetration testing of modern medical devices. It
will provide an overview of the various stages of a medical
device assessment, including discovery and analysis of a device’s
remote and local attack surface, reverse engineering and
exploitation of proprietary network protocols, vulnerability
discovery in network services, compromising supporting systems,
attacking common wireless protocols, exploitation of hardware
debug interfaces and bus protocols and assessing proprietary
wireless technologies.

It will also cover a number
of real world vulnerabilities that the speaker has discovered
during medical device penetration testing assessments. These
include weak cryptographic implementations, device impersonation
and data manipulation vulnerabilities in proprietary protocols,
unauthenticated database interfaces, hardcoded credentials/keys
and other sensitive information stored in firmware/binaries and
the susceptibility of medical devices to remote denial of service
attacks.

The talk will conclude with some
suggestions on how some of the most common classes of medical
device vulnerabilities might be remediated by vendors and also
how hospitals and other healthcare providers can defend their
medical devices in the meantime.

Robert Portvliet is technical
director of red team services at Cylance with over 8 years'
experience in various disciplines of penetration testing. His
focus is on embedded systems and wireless penetration testing
and reverse engineering. Prior to joining Cylance, he was the
network security service line lead for Foundstone and taught
the 'Ultimate Hacking: Wireless' class at Black Hat 2011-2013.

How many
organizations have an effective strategic threat intelligence
operation? Many have failed and many struggle to obtain executive
buy-in or even mild interest in any of their cyber threat
intelligence reports. By examining the history of the POTUS's use
of intelligence, some powerful lessons can be learned. For
instance, one president created and relied on his own private
intelligence group of peers. Another president ignored SIGINT
completely because of a preference for "cloaks and daggers". Yet
another president told the intelligence community their analysis
would support a decision he had already made! These are all
important insights into executive leadership, their psychology,
and how best to serve their intelligence needs. This presentation
will highlight and summarize several key lessons which can be
applied to create or improve upon a strategic threat intelligence
program.

Paul Jaramillo has over ten years of experience conducting
incident response and enterprise security operations,
including a career with the U.S. Department of Energy’s
National Nuclear Security Administration. As a Principal
Consultant based out of CrowdStrike’s St. Louis office, Paul
participates in customer engagements ranging from breach
response to proactive compromise and adversary assessments.
Along with the Midwest office, Paul helps customers in taking
the fight to the adversary.

Prior to his work
at CrowdStrike, Paul was Sr. Manager of IT Security for a
Fortune 500 energy company. In this role, he led a global team
responsible for incident response, digital forensics, IT
security risk management, security operations, and security
awareness. Paul also was responsible for building a 10 person,
24/7 global incident response capability at a Fortune 100
international manufacturer. In addition, he has spent time on
the offensive side of security as a pen tester for a Fortune
10 conglomerate, as well as 10 years in the telecommunications
industry.

Paul has a Bachelors of Business
Administration in Management Information Systems from the
University of Oklahoma, which he attended as a National Merit
and Regents scholarship recipient. Paul currently holds his
CISSP and GCFA certification and has previously held EnCE,
CCNA, and C|EH certifications. While working for the
government, he held both DoD Top Secret and DoE Q clearances.
Paul is also the founder of the St. Louis security conference
ArchCON. Paul has most recently spoken at BsidesNOLA, ArchCon,
BsidesSanDiego and the SANS Threat Hunting Summit.

No matter which APT
threat actor operates in a victim's network, there is one thing
they all share: they use the Internet for data exfiltration. I'd
like to present a few anti-detection techniques used by the threat
actors in LatAm, Eastern Europe and other regions to bypass
detection. All techniques are from real campaigns we track.

Dmitry Bestuzhev, Head of Global
Research and Analysis Team for Latin America, Kaspersky

Dmitry Bestuzhev serves as Head of Kaspersky Lab’s Global
Research and Analysis Team for Latin America, where he
oversees the anti-malware development and investigations of
the company’s experts in the region. Dmitry joined Kaspersky
Lab in 2007 as a Malware Analyst and was responsible for
monitoring the local threat landscape and providing
preliminary analyses before going on to become Senior Regional
Researcher for the Latin American region in 2008. In 2010, he
was appointed to his current role.

In addition
to supervising the work of the network of experts in Latin
America, Dmitry’s current role also includes producing reports
and forecasts for the region and is frequently sought out by
international media and organizations for his expert
commentary on IT security. Dmitry’s wide field of expertise
covers everything from online fraud, through the use of social
networking sites by cybercriminals, to corporate security and
cyberwar and cyber espionage. Additionally, Dmitry
participates in various educational initiatives throughout
Latin America.

Dmitry has more than 17 years of
experience in IT security across a wide variety of roles and
is fluent in English, Spanish and Russian. He’s been working
in analysis of targeted attacks for financial institutions,
producing intelligence reports.

Detecting callouts
to command-and-control (C2) servers used to be straightforward,
but attackers in your network have found ways to communicate with
the outside world even under the heaviest of scrutiny. In this
talk, we discuss ways to use popular websites as means of getting
commands and exfiltrating information. We examine the
applications of asymmetric communication, from
Internet-accessible computers to embedded devices to air-gapped
systems. Finally, we give some suggestions to defenders, and
discuss how to detect and mitigate risks that enable asymmetric
malware.

Brandon Arvanaghi, Security
Engineer, Gemini

Brandon Arvanaghi is a
security engineer at Gemini. Before Gemini, Brandon was a
security consultant at Mandiant. Brandon has written tools to
detect webshells, obfuscated malware, and to evade sandboxes
in every language. He is the author of SessionGopher,
CheckPlease, and a contributor to PowerShell Empire. Prior to
working in the security industry, Brandon conducted research
on automated attack plan generation at Vanderbilt University.

Andrew Johnston, Proactive
Consultant, Mandiant

Andrew Johnston is a
proactive consultant with Mandiant, a division of FireEye. His
work focuses on gaining access to critical places and systems
through covert tactics. Andrew also is the lead researcher of
a team at Fordham University focused on using artificial
intelligence to solve problems in the counterterrorism and
national defense sphere. He holds a bachelor's degree from
Fordham University with a dual major in computer science and
applied mathematics.

The security industry has been talking about powerful concepts
like good threat intelligence and attacker cost for a long time
now, but most organizations are not using these concepts in their
security programs, causing them to waste money, time, and energy
on efforts that do not stop real attackers.

In
this talk, we describe a security program built around adversary
intelligence that actually matters. We describe how this program
generates more accurate and precise priorities and objectives. We
demonstrate how these new risk profiles, attacker playbooks, and
attacker cost models can help inform better controls, strategies,
and policies.

We focus on picking the controls
that are most effective at reducing the risk of successful
execution of the playbooks that attackers use everyday. This is
only possible with a security program built around attacker
intelligence.

We take a deep dive into the
practicalities of implementation of these concepts at your
organization. What metrics matter to show to management, how this
impacts hiring, and how this modifies core workflows in the
security team.

Finally, we will close with some of
the concrete challenges we encountered in implementing this
program and some suggestions on how to work around them.

Julian Cohen is a risk
philosopher. He has a passion for creating thoughtful and
effective security programs. Julian has been making a name for
himself speaking about attackers and the necessity of focusing
on offensive security tactics ever since he popped into this
world. He is also putting all these ideas into practice at his
startup, "Automatic Playbook Testing." In a previous life,
Julian was a super spy hacker and an urban explorer.

Justin Berman is the CISO of
Zenefits, but he’s not your typical CISO. Justin thinks very
deeply about security concepts and processes that most take
for granted. Reflecting on every detail of his program allows
him to make more informed decisions where it matters most.
Justin cares genuinely about the wellbeing of his team and the
efficacy of his program. In a previous life, Justin was a
professional photographer and a professional chef.

Adversarial Simulation, Red Team, Threat Emulation, Blue Team,
Targeted Attack Simulation, Purple Team or Gold Team - So many
labels and buzzwords. No matter what you call it or whatever
color shirt you wear / team you identify most with - this talk
offers something for you; no matter the camp you are in.

At MWR we've spent many years robbing banks, pulling off casino
heists, breaching merchants, bringing down Critical National
Infrastructure (CNI), flooding mines, stealing all the things and
doxing big corps. But more importantly, we've also helped many of
those clients make sure none of the stuff we did, could happen
for real.

This presentation will take you on a
journey showing you how our TTPs have evolved over the past few
years - why we've evolved them, what works now, what doesn't and
why - we'll also give you insights into what's coming next. There
will be takeaways for everyone - whether you're looking to up your
offensive game, or you're a defender looking to get a heads up on
what's gonna be hitting you soon (as well as what to do about
it!).

Having delivered assessments all around the
world over several years, both as part of and separately from regulatory
frameworks such as CBEST, TIBER and iCAST, we've sparred with some
heavy hitters and a lot of lessons have been learned - we'd like
to share some of these with you. There might just be some
entertaining tales too - like that one time we were fingered as a
new and shiny Russian APT...

After obtaining an
initial foothold in an environment, attackers are forced to
embark on lateral movement techniques in order to be successful
in identifying and exfiltrating sensitive information. To stay
ahead of the bad guys, the Blue team needs to have a clear
understanding of these techniques as well as the forensic
artifacts these techniques leave behind on the victim hosts.
Armed with this knowledge, we can proactively hunt for lateral
movement in the environment before exfiltration can occur. This
presentation will analyze lateral movement from both a Red and
Blue team perspective and introduce Oriana, a lateral movement
hunting tool that can assist the Blue team in catching the
adversary.

Mauricio Velazco

Mauricio Velazco (@mvelazco)
is a Peruvian infosec geek who started his career as a
penetration tester and moved to defense 5 years ago. He
currently leads the Threat Management team at a financial
services company in New York.

Many organizations
participate in Security Awareness training. Whether it is
something that is produced internally or supplied by a
third-party vendor, the goals are the same: educate the user to
prevent becoming the next big breach in the news. We all know the
phrase ‘you can’t patch humans’, but what metrics can we use to
see if our awareness efforts are effective? Believe it or not,
Security Analysts have access to a lot of valuable information
that can show us just how effective these programs are… and no,
I’m not just talking about the results of your last phishing
campaign.

Kendra Cooley, Senior Security
Operations Engineer, MailChimp

Kendra has over five years of experience in several areas of
Information Security including user administration, security
operations and compliance. She focuses primarily on Incident
Response and user education. Kendra holds a Bachelor’s degree
in Digital Forensics and the CISSP certification.

Kendra speaks regularly at Security related events and is an
advocate for practicing proper security hygiene. In her free
time she enjoys drinking wine and memorizing movie lines.

Cranes, trains,
building controls, oil rigs, and …ceiling fans? Recent
developments have made secure wireless protocols more common, but
the fact is there’s still a swarm of simpler RF controls in the
wireless world around us. Luckily, the onset of Software Defined
Radios (SDRs) means analyzing these insecure signals is easier
than ever! We'll explore the basics of capturing and reversing
simple RF control signals with the affordable RTL-SDR. With a
little exploration through this menagerie of signals, we can
unravel the mysteries of their operation and better understand
what risk they pose to the environments we protect.

These days, most
adversaries will attempt to run code somewhere on your network in
order to establish a command and control channel; application
whitelisting is a key security control. This talk will
demonstrate a number of common and less common techniques for
being able to run code or interact with a locked down
environment, seen through the eyes of an operational simulated
attacker.

Advanced mathematics
made simpler: Spectral Hypergraph Analysis for mortals. Imagine
lighting up and "shining" your network logs through a special
prism that would separate behaviors into a "spectrum" that would
indicate to you things that are going on in your network. Some of
those things might be important discoveries with security
implications. Doing this would be like how astronomers determine
the materials that are burning in a distant star, using a special
telescope to get the spectrum of that star's light. It turns out
that there is a mathematical way to do this on network logs,
involving a generalization of the Fourier Transform over high
dimensional graphs. This talk will explain this technology in
accessible ways, and show examples of its use in discovering "bad
stuff" on a very large network.
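
The "prism" in that analogy, written out as an added illustration that is not part of the talk: this is the standard graph Fourier transform for an ordinary graph, the simplest case of the hypergraph generalization the speaker describes. The symbols $A$, $D$, $L$, $U$, $\Lambda$ and the signal $x$ are the usual spectral-graph-theory notation and are assumed here, not taken from the abstract.

Let $A$ be the adjacency matrix of the graph built from the logs (one node per host, one undirected edge per observed connection, edge set $E$), $D$ the diagonal degree matrix, and $x \in \mathbb{R}^n$ a signal over the nodes, for instance bytes sent per host in one time window. The combinatorial Laplacian and its eigendecomposition are

$$L = D - A = U \Lambda U^{\mathsf{T}}, \qquad \Lambda = \mathrm{diag}(\lambda_1, \ldots, \lambda_n), \quad 0 = \lambda_1 \le \lambda_2 \le \cdots \le \lambda_n .$$

The graph Fourier transform and its inverse are

$$\hat{x} = U^{\mathsf{T}} x, \qquad x = U \hat{x},$$

so $\hat{x}_k = u_k^{\mathsf{T}} x$ is the "spectral line" of $x$ at graph frequency $\lambda_k$. The frequencies are ordered by smoothness because

$$x^{\mathsf{T}} L x = \sum_{(i,j) \in E} (x_i - x_j)^2 ,$$

so the $\lambda = 0$ components are constant on each connected component, while energy in the large-$\lambda$ components means $x$ changes sharply between neighbouring nodes. In defender's terms, a host whose behaviour matches its neighbours contributes to the low end of the spectrum, and a host behaving unlike the hosts it talks to shows up in the high end, which is what makes the decomposition useful for surfacing anomalies.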

Richard Lethin is President
at Reservoir Labs, a private research laboratory in New York
City. Reservoir performs R&D in the area of high
performance computing, which includes projects developing new
technologies for high speed communication processing with
applications to cyber security. Some of these results are
available as products, including the ENSIGN tensor
decomposition tool and the R-Scope network sensor. Richard
formed Reservoir after completing his Ph.D. at the MIT AI
Laboratory in 1997, where for his thesis he contributed to the
development and analysis of a massively parallel
message-driven computing system called the J-Machine, under
the supervision of Professor William Dally. Prior to MIT,
Richard worked as an engineer at the startup company
Multiflow, founded by Dr. Josh Fisher, John O'Donnell and John
Ruttenberg, which developed the first of the now
ubiquitous Very Long Instruction Word (VLIW) computer
architectures, and where he was responsible for the floating
point data paths. Richard is also Associate Professor
(Adjunct) in Electrical Engineering at Yale, where he teaches
courses including Computer Architecture for Cognitive
Computing.

YARA has recently included a module that enables researchers to
create more fine-grained rules for malware written for the
.NET framework. These files contain valuable embedded metadata
which can enable us to pinpoint a specific threat and reduce our
number of false-positive detections.

This
presentation will focus on the peculiarities of obtaining
indicators of compromise from .NET malware samples and writing
reliable YARA rules using its latest module. I'll be showing real
world examples and releasing a convenient tool that can query
metadata information from large sets of .NET files.
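
The kind of rule the abstract has in mind, written here as an added example; it is not the speaker's tool, nor a rule from the talk or from Kaspersky. It assumes a YARA build with the dotnet module compiled in and a version recent enough to expose `dotnet.is_dotnet`; the rule name and every indicator value (assembly name, module name, typelib GUID) are constructed placeholders standing in for values you would read from a real sample.

```yara
import "dotnet"

// Added example, not from the talk. Every literal below is a constructed
// placeholder; replace it with metadata read from the sample you are pinning.
rule example_dotnet_metadata_pinned
{
    meta:
        description = "Pins a .NET family to manifest metadata instead of raw byte patterns"
        author = "added example (placeholder)"

    condition:
        // Gate on the CLR header so the rule never evaluates native PE files
        dotnet.is_dotnet and
        // Assembly name from the manifest (placeholder value)
        dotnet.assembly.name == "PLACEHOLDER_Updater" and
        // Module name from the #Strings heap (placeholder value)
        dotnet.module_name == "PLACEHOLDER_Updater.exe" and
        // The typelib GUID is written into the project once by the IDE template
        // and usually stays constant across rebuilds and version bumps, which is
        // why it anchors a family better than a hash (placeholder GUID)
        dotnet.typelib == "00000000-1111-2222-3333-444444444444" and
        // Require a populated AssemblyRef table so stripped or corrupt metadata
        // does not match on empty defaults
        dotnet.number_of_assembly_refs > 0
}
```

Run it over a sample set with `yara -r rules.yar samples/`. Keying the condition on several independent metadata fields is what drives the false-positive rate down: a typelib GUID alone can be inherited by anything built from the same project template, but the combination with the assembly and module names is far more specific to one family. On YARA builds that predate the `is_dotnet` field, removing that clause still works, because undefined module fields make the whole condition evaluate to false on files the module cannot parse.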

Santiago Pontiroli joined
Kaspersky Lab as a Security Researcher in October 2013. His
principal responsibilities include the analysis and
investigation of security threats in the SOLA region (South of
Latin America), web application security, the development of
automation tools stemming from threat intelligence studies
and the reverse engineering of programs with malicious code.

In recent years more services and people have moved to two-factor
authentication. While everybody loves talking about the
advantages of 2FA, little attention has been given to its
downsides. Attackers have started adapting to ubiquitous 2FA and
are finding new ways to take over accounts ranging anywhere from
email to online banking and (cryptocurrency) trading services.

In this talk we will show how attackers can exploit
various 2FA and account recovery implementation issues to hijack
accounts. We will also propose defensive measures for both
architects and end-users.

Roel Schouwenberg, The Celsus
Advisory Group

Day 2

Track 1 3SAB CYBER 101

Track 2 3ES4 RED TEAM TOOLS & TACTICS

Track 3 3ES2 BLUE TEAM DEFENDERS

Track 4 3ES5 BREAKING CYBER

Track 5 3SAB SCADA - CRITICAL INFRASTRUCTURE

Villages & Events

0800

0900

Location

Registration / Coffee An arrangement of fresh fruit, granola bars and danish will be
provided

FLOOR 2 - TEXAS BALLROOM/PRECONVENTION AREA

0900

1000

Location

Keynote

Mr. Speaker

Well known Person

Speaker 1

Well known Person

FLOOR 2 - TEXAS BALLROOM

1000

1100

Location

1100

1200

Location

Talk

Agent1

Security Title

FLOOR 3 - 3SAB

Talk 001

Agent

Security Company

FLOOR 3 - 3SAB

Talk

MS. Speaker

Title

FLOOR 3 - 3ES4

Talk

MS. Speaker

Title 1.

FLOOR 3 - 3ES4

Talk

Mr. Speaker

Title.

FLOOR 3 - 3ES2

Talk 6

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Talk 0

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES1

Talk

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES1

Advanced Threat Hunting on an ICS Network

ICS 202

2 Hr Hands on
Training & Labs

Mr. Dan Gunter

Principal Threat Analyst

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

Hackers
Heaven

Soc Defender

Capture the
Flag

1200

0100

Location

LUNCH

FLOOR 2 - TEXAS BALLROOM

0100

0200

Location

Talk t1

Speaker

Title

FLOOR 3 - 3SAB

Talk t2

Mr. Speaker

Title.

FLOOR 3 - 3ES4

Talk t3

MS. Speaker

Title

FLOOR 3 - 3ES2

Talk t4

MS. Speaker

Title

FLOOR 3 - 3ES1

Talk t5

Mr. Speaker

Title

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

0200

0300

Location

Talk t1

Speaker

Title

FLOOR 3 - 3SAB

Talk t2

Mr. Speaker

Title.

FLOOR 3 - 3ES4

Talk t3

MS. Speaker

Title

FLOOR 3 - 3ES2

Talk t4

MS. Speaker

Title

FLOOR 3 - 3ES1

Talk t5

Mr. Speaker

Title

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

0300

0330

Location

Break #2 An
arrangement of fresh fruit, granola bars and danish will be
provided

FLOOR 2 - TEXAS BALLROOM / PRECONVENTION AREA

0230

0330

Location

0330

0430

Location

Talk

Agent: 1

Security Title

FLOOR 3 - 3SAB

Talk

Agent: Speaker

Security Company

FLOOR 3 - 3SAB

Talk 00

MS. Speaker

Title Co.

FLOOR 3 - 3ES4

Talk

MS. Speaker

Title Co.

FLOOR 3 - 3ES4

Talk

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Talk

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Hands-on Lab

ICS 201

2 Hr Hands on Training & Labs

Mr. Speaker

Title.

FLOOR 3 - 3SAB

Talk

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES5

Talk

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

Hackers
Heaven

Soc Defender

Capture the
Flag

0430

0530

Location

0530

0630

Location

Talk

Agent: Speaker

Security Title

FLOOR 3 - 3SAB

Talk

Agent: Speaker

Security Company

FLOOR 3 - 3SAB

Lab

ICS 201

2 Hr Hands on Training & Labs

Mr. Speaker

Title.

FLOOR 3 - 3SAB

Talk

MS. Speaker

Title Co.

FLOOR 3 - 3ES4

Talk

MS. Speaker

Title Co.

FLOOR 3 - 3ES4

Talk

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Talk

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Talk

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES5

Talk

Mr. J. Speaker

Company XYZ

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

Hackers
Heaven

Soc Defender

Capture the
Flag

0700

0800

Location

PANEL DISCUSSION 1

Mrs. Speaker 1

Title

Mrs. Speaker 2

Title

Mrs. Speaker 3

Title

Mrs. Speaker 4

Title

FLOOR 2 - TEXAS BALLROOM

VILLAGES
CLOSE

0830

0930

Location

MOVIE: 300 Popcorn
and Drinks provided

FLOOR 2 - TEXAS BALLROOM

Day 3

Track 1 3SAB CYBER 101

Track 2 3ES4 RED TEAM TOOLS & TACTICS

Track 3 3ES2 BLUE TEAM DEFENDERS

Track 4 3ES5 BREAKING CYBER

Track 5 3SAB SCADA - CRITICAL INFRASTRUCTURE

Villages & Events

0800

0900

Location

Registration / Coffee An arrangement of fresh fruit, granola bars and danish will be
provided

FLOOR 2 - TEXAS BALLROOM/PRECONVENTION AREA

0900

1000

Location

Keynote

Mr. Speaker

Well known Person

Speaker 1

Well known Person

FLOOR 2 - TEXAS BALLROOM

1000

1100

Location

1100

1200

Location

Talk

Agent1

Security Title

FLOOR 3 - 3SAB

Talk 001

Agent

Security Company

FLOOR 3 - 3SAB

Talk

MS. Speaker

Title

FLOOR 3 - 3ES4

Talk

MS. Speaker

Title 1.

FLOOR 3 - 3ES4

Talk

Mr. Speaker

Title.

FLOOR 3 - 3ES2

Talk 6

Mr. Speaker

Title Co.

FLOOR 3 - 3ES2

Talk 0

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES1

Talk

Mr. Speaker

Company XYZ

FLOOR 3 - 3ES1

Expert Level Threat Hunting on various ICS Networks

ICS 203

2 Hr Hands on
Training & Labs

Mr. Dan Gunter

Principal Threat Analyst

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

Hackers
Heaven

Soc Defender

Capture the
Flag

1200

0100

Location

LUNCH

FLOOR 2 - TEXAS BALLROOM

0100

0200

Location

Talk t1

Speaker

Title

FLOOR 3 - 3SAB

Talk t2

Mr. Speaker

Title.

FLOOR 3 - 3ES4

Talk t3

MS. Speaker

Title

FLOOR 3 - 3ES2

Talk t4

MS. Speaker

Title

FLOOR 3 - 3ES1

Talk t5

Mr. Speaker

Title

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

0200

0300

Location

Talk t1

Speaker

Title

FLOOR 3 - 3SAB

Talk t2

Mr. Speaker

Title.

FLOOR 3 - 3ES4

Talk t3

MS. Speaker

Title

FLOOR 3 - 3ES2

Talk t4

MS. Speaker

Title

FLOOR 3 - 3ES1

Talk t5

Mr. Speaker

Title

FLOOR 3 - 3ES5

Hackers
Heaven

Soc Defender

Capture the
Flag

0300

0330

Location

Break #2 An
arrangement of fresh fruit, granola bars and danish will be
provided